<!DOCTYPE html>
<html lang="zh-CN">





<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/apple-touch-icon.png">
  <link rel="icon" type="image/png" href="/img/favicon.png">
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="description" content="安全行业从业者，主要方向PC逆向附带安卓和Linux逆向，时不时喜欢写点BUG代码">
  <meta name="author" content="Cray">
  <meta name="keywords" content="">
  <title>Flare-on 2020 WriteUp ~ 逆向安全博客</title>

  <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/5.12.1/css/all.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/css/bootstrap.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/mdbootstrap/4.13.0/css/mdb.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/github-markdown-css/3.0.1/github-markdown.min.css"  >

<link rel="stylesheet" href="//at.alicdn.com/t/font_1067060_qzomjdt8bmp.css">



  <link rel="stylesheet" href="/lib/prettify/tomorrow.min.css"  >

<link rel="stylesheet" href="/css/main.css"  >


  <link rel="stylesheet" href="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.css"  >


<meta name="generator" content="Hexo 5.2.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">


    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/">首页</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/archives/">归档</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/tags/">标签</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/links/">友链</a>
          </li>
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" data-toggle="modal" data-target="#modalSearch">&nbsp;&nbsp;<i
                class="iconfont icon-search"></i>&nbsp;&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="view intro-2" id="background" false
      style="background: url('https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201117193226883.png') no-repeat center center;
      background-size: cover;">
    
        <div class="full-bg-img">
        <div class="mask rgba-black-light flex-center">
          <div class="container text-center white-text fadeInUp">
            <span class="h2" id="subtitle">
              
                Flare-on 2020 WriteUp
              
            </span>

            
              <br>
              

              <p>
                
                  
                  &nbsp;<i class="far fa-chart-bar"></i>
                  <span class="post-count">
                    2.3k 字
                  </span>&nbsp;
                

                
                  
                  &nbsp;<i class="far fa-clock"></i>
                  <span class="post-count">
                      9 分钟
                  </span>&nbsp;
                

                
                  <!-- 不蒜子统计文章PV -->
                  
                  &nbsp;<i class="far fa-eye" aria-hidden="true"></i>&nbsp;
                  <span id="busuanzi_container_page_pv">
                    <span id="busuanzi_value_page_pv"></span> 次
                  </span>&nbsp;
                
              </p>
            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid">
  <div class="row">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-md">
      <div class="py-5 z-depth-3" id="board">
        <div class="post-content mx-auto" id="post">
          <div class="markdown-body">
            <h3 id="1"><a href="#1" class="headerlink" title="1"></a>1</h3><p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922191238565.png" srcset="/img/loading.gif" alt="image-20200922191238565"></p>
<p>给了源码和编译好的程序。编译好的就一个游戏。还是直接读代码吧</p>
<h4 id="第一个校验，输入ghost就行"><a href="#第一个校验，输入ghost就行" class="headerlink" title="第一个校验，输入ghost就行"></a>第一个校验，输入<code>ghost</code>就行</h4><p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922095514160.png" srcset="/img/loading.gif" alt="image-20200922095514160"></p>
<h4 id="第二个校验"><a href="#第二个校验" class="headerlink" title="第二个校验"></a>第二个校验</h4><p>整体意思是你要点击猫头，让它挣钱给你买flag…，当然随着时间增加金币也会增加</p>
<p>主要的校验在这，</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922095946199-1605494112685.png" srcset="/img/loading.gif" alt="image-20200922095946199"></p>
<p>整体思路就是coin要在<code>(2**36) + (2**35) &lt; current_coins &lt; ((2**36) + (2**35) + 2**20)</code></p>
<p>任意带入符合的数计算出一个token值 <code>1030</code></p>
<p>直接把这个token带入decode_flag</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922100509219-1605494115235.png" srcset="/img/loading.gif" alt="image-20200922100509219"></p>
<h3 id="还有一个偷懒的办法"><a href="#还有一个偷懒的办法" class="headerlink" title="还有一个偷懒的办法"></a>还有一个偷懒的办法</h3><p>脚本说每点一次猫头加一块钱，我们改成直接加100 Billion 一步到位</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922100824463.png" srcset="/img/loading.gif" alt="image-20200922100824463"></p>
<h2 id="2"><a href="#2" class="headerlink" title="#2"></a>#2</h2><p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922191315763.png" srcset="/img/loading.gif" alt="image-20200922191315763"></p>
<p>用了半下午，复习了PE结构，NICE！</p>
<p>根据提示是一个不完整的PE，需要修复，修复后就能拿到flag</p>
<p>下载文件后，双击执行报下面的错误，简单来说就是PE结构有问题</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922191524265.png" srcset="/img/loading.gif" alt="image-20200922191524265"></p>
<blockquote>
<p>做这题之前，只知道<code>sizeofimage</code>错误会导致这种弹窗。。。。</p>
</blockquote>
<h3 id="检查错误在哪"><a href="#检查错误在哪" class="headerlink" title="检查错误在哪"></a>检查错误在哪</h3><p>静态看PE结构，明显的UPX3.94压缩程序，需要修复才能得到最后结果</p>
<p>不明白结构无所谓，下一个<a target="_blank" rel="noopener" href="https://github.com/upx/upx/releases">相同版本</a>试一下</p>
<p>然后根据自己生成的结构进行对比，反复对比PE header几次发现头部并没有问题OTZ</p>
<p>拖到文件最后发现文件不完整</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922192759333.png" srcset="/img/loading.gif" alt="image-20200922192759333"></p>
<h3 id="补齐文件"><a href="#补齐文件" class="headerlink" title="补齐文件"></a>补齐文件</h3><p>因为不知道Manifest清单文件会照成无法打开，所以我前面全部补0，后面发现这是大坑</p>
<p><strong>正常顺序是先让程序能加载起来，再去修复导入表和重定位，但是我这之前一直找不到原因</strong></p>
<p>这个时候因该用<code>SysTrace</code>去跟踪错误信息</p>
<pre><code class="shell"> SxsTrace Trace -logfile:SxsTrace.etl   //收集跟踪信息
 SxsTrace Parse -logfile:SxsTrace.etl -outfile:SxsTrace.txt    //将刚才的信息解析为txt</code></pre>
<p>会发现错误信息如下，清单文件不正常！</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922194653385.png" srcset="/img/loading.gif" alt="image-20200922194653385"></p>
<p>用之前的demo，将他的拷贝过来。</p>
<p>由于需要一定的格式，手写太难搞了，这里用到了一个资源管理工具<code>ResEdit</code></p>
<p>修改好后，惊喜的发现能跑了，但是会出访问异常，但至少能调试了！！！OTZ</p>
<h3 id="修复导入表"><a href="#修复导入表" class="headerlink" title="修复导入表"></a>修复导入表</h3><p>本以为文件大小全都齐全了，然后直接去修复IAT，因为是壳程序，比较特别，一般都只有几个固定的导出函数，被加壳程序的导出函数由壳去加载。</p>
<p>这里对比我自己生成的Demo，发现只有四个必须的（后面会发现还有一个)</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922193305906.png" srcset="/img/loading.gif" alt="image-20200922193305906"></p>
<p>直接上010edit修，暂时没有其他好办法，修好后如下</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200922195141071.png" srcset="/img/loading.gif" alt="image-20200922195141071"></p>
<p>具体修改方法参考这图结构去找</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/20190923111618343.jpg" srcset="/img/loading.gif" alt="20190923111618343"></p>
<p>基本上就这两个东西，中间有些细节，边调边修</p>
<p>因为这个壳会把文件偏移改错，所以用软件的FOA转RVA这类工具可能会出错，需要自己手动计算一下</p>
<h3 id="4"><a href="#4" class="headerlink" title="#4"></a>#4</h3><p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200924114207224.png" srcset="/img/loading.gif" alt="image-20200924114207224"></p>
<p>打开后是一个标准宏木马</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200923172508067.png" srcset="/img/loading.gif" alt="image-20200923172508067"></p>
<h4 id="问题1"><a href="#问题1" class="headerlink" title="问题1"></a>问题1</h4><p>直接运行宏，报错，然后<code>ALT+F11</code>看一下源码</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200923172601816.png" srcset="/img/loading.gif" alt="image-20200923172601816"></p>
<p>我找了一圈都没找到问题，有说语法错误的，有说语言错误的</p>
<p>看了一圈代码，代码量还行，整理下思绪，但是能不硬刚就不刚，语法感觉没问题，有问题我也改不好。。。</p>
<p>确实有语言导致宏运行不起来的，放到any run上去试试，发现有很多大哥已经试过了，也是报错。</p>
<h4 id="解决办法"><a href="#解决办法" class="headerlink" title="解决办法"></a>解决办法</h4><p>重开一个带宏的xlsm，将给的宏全部拷贝过去，保存运行，没问题了。。。</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200923173229424.png" srcset="/img/loading.gif" alt="image-20200923173229424"></p>
<p>重新保存后还是报错，但是至少能跑起来。。。</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200923173604169.png" srcset="/img/loading.gif" alt="image-20200923173604169"></p>
<p>直接调</p>
<p>整体含义如下</p>
<ol>
<li>从窗体控件中读数据动态解密</li>
<li>调用WMI执行”SELECT Name FROM Win32_Process”</li>
<li>判断是否有vmt、vmw、vbox相关进程，有就退出</li>
<li>从控件中读取数据并使用密钥解密，数据保存到本地</li>
</ol>
<p>然后你会得到一个MP3文件…玩了一晚上以为是MP3文件隐写，各种工具用完了，又仔细品味提示信息</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200924094158801.png" srcset="/img/loading.gif" alt="image-20200924094158801"></p>
<p>其实问题不在这，是代码出问题了，那么问题是什么呢？<strong>其实是微软VBA的反编译器的问题了！</strong></p>
<h4 id="正规做法"><a href="#正规做法" class="headerlink" title="正规做法"></a>正规做法</h4><p>先给出参考文章</p>
<p><a target="_blank" rel="noopener" href="https://isc.sans.edu/forums/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870/">https://isc.sans.edu/forums/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870/</a></p>
<p>VBA编写的宏可以以3种方式存在</p>
<ol>
<li><p><em>Source code</em></p>
<blockquote>
<p>宏模块的原始源代码被压缩并存储在模块流的末尾。这使得查找和提取相对容易，并且大多数免费的DFIR工具（例如<a target="_blank" rel="noopener" href="https://blog.didierstevens.com/programs/oledump-py/">oledump</a>或<a target="_blank" rel="noopener" href="http://www.decalage.info/python/olevba">olevba）</a>甚至许多专业的防病毒工具都仅以这种形式进行宏观分析。但是，大多数情况下，Office会完全忽略源代码。实际上，可以删除源代码（并因此使所有这些工具都认为没有宏），但是宏仍将执行而不会出现任何问题。</p>
</blockquote>
</li>
<li><p><em>P-code</em></p>
<blockquote>
<p>将每条VBA行输入到VBA编辑器中后，立即将其编译为p代码（堆栈机的伪代码）并存储在模块流中的其他位置。<em>P-code</em>正是大多数时间执行的代码。实际上，即使在VBA编辑器中打开宏模块的源代码时，显示的也不是经过解压缩的源代码，而是被反编译为源代码的p代码。只有在使用与创建该文档使用的VBA版本不同的Office版本的Office版本下打开该文档时，才将存储的压缩源代码重新编译为p代码，然后执行该p代码。这样就可以在任何支持VBA的Office版本上打开包含VBA的文档，并使其中的宏保持可执行状态，</p>
</blockquote>
</li>
<li><p><em>Execodes</em></p>
<blockquote>
<p>当p代码至少执行了一次后，它的另一种标记形式将存储在文档中的其他位置（在流中，其名称以开头<code>__SRP_</code>，后跟数字）。从那里可以更快地执行它。但是，execode的格式非常复杂，并且特定于创建它们的特定Office版本（不是VBA版本）。这使得它们极不可携带。此外，它们的存在不是必需的-可以将它们删除，并且宏将运行正常（从p代码开始）。</p>
</blockquote>
</li>
</ol>
<p>总结一下：大多数情况下，带宏的office文档的宏功能都是由P-code决定，即使存在源代码，也仅仅是用于分析。所以分析一个带宏的office流文件，直接去拿它的P-code分析</p>
<p>这里推荐<a target="_blank" rel="noopener" href="https://github.com/Big5-sec/pcode2code">pcode2code</a> 真的是好工具，基于<a target="_blank" rel="noopener" href="https://github.com/bontchev/pcodedmp">pcodedmp</a>，免去人工分析P-code</p>
<p>直接编译处report.xls的P-code</p>
<pre><code class="vb">None
stream : _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1785 bytes
########################################

Sub Workbook_Open()
  Sheet1.folderol
End Sub

Sub Auto_Open()
  Sheet1.folderol
End Sub
stream : _VBA_PROJECT_CUR/VBA/F - 1388 bytes
########################################


stream : _VBA_PROJECT_CUR/VBA/Sheet1 - 10518 bytes
########################################

Private Declare Function InternetGetConnectedState Lib &quot;wininet.dll&quot; (ByRef dwflags As Long, ByVal dwReserved As Long) As Long

  Private Declare PtrSafe Function mciSendString Lib &quot;winmm.dll&quot; (ByVal lpstrCommand As String, ByVal lpstrReturnString As , ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long

    Private Declare Function GetShortPathName Lib &quot;kernel32&quot; (ByVal lpszLongPath As String, ByVal lpszShortPath As String, ByVal lBuffer As Long) As Long

      Public Function GetInternetConnectedState(id_FFFE As Boolean) As Boolean
        GetInternetConnectedState = InternetGetConnectedState(0, 0)
      End Function

      Function rigmarole(es As String, id_FFFE As String) As String
        Dim furphy As String
        Dim c As Integer
        Dim s As String
        Dim cc As Integer
        furphy = &quot;&quot;
        For i = 1 To Len(es) Step 4
          c = CDec(&quot;&amp;H&quot; &amp; Mid(es, i, 2))
          s = CDec(&quot;&amp;H&quot; &amp; Mid(es, i + 2, 2))
          cc = c - s
          furphy = furphy + Chr(cc)
        Next i
        rigmarole = furphy
      End Function

      Function folderol(id_FFFE As Variant)
        Dim wabbit As Byte
        Dim fn As Integer: fn = FreeFile
        Dim onzo As String
        Dim mf As String
        Dim xertz As Variant
        Dim buff(0 To 7) As Byte

        onzo = Split(F.L, &quot;.&quot;)

        If GetInternetConnectedState = False Then
          MsgBox &quot;Cannot establish Internet connection.&quot;, vbCritical, &quot;Error&quot;
          End
        End If

        Set fudgel = GetObject(rigmarole(onzo(7)))
        Set twattling = fudgel.ExecQuery(rigmarole(onzo(8)), , 48)
        For Each p In twattling
          Dim pos As Integer
          pos = Instr(LCase(p.Name), &quot;vmw&quot;) + Instr(LCase(p.Name), &quot;vmt&quot;) + Instr(LCase(p.Name), rigmarole(onzo(9)))
          If pos &gt; 0 Then
            MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
            End
          End If
        Next

        xertz = Array(&amp;H11, &amp;H22, &amp;H33, &amp;H44, &amp;H55, &amp;H66, &amp;H77, &amp;H88, &amp;H99, &amp;HAA, &amp;HBB, &amp;HCC, &amp;HDD, &amp;HEE)

        Set groke = CreateObject(rigmarole(onzo(10)))
        firkin = groke.UserDomain
        If firkin &lt;&gt; rigmarole(onzo(3)) Then
          MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
          End
        End If

        n = Len(firkin)
        For i = 1 To n
          buff(n - i) = Asc(Mid$(firkin, i, 1))
        Next

        wabbit = canoodle(F.T.Text, 2, 285729, buff)
        mf = Environ(rigmarole(onzo(0))) &amp; rigmarole(onzo(11))
        Open mf For Binary Lock Read Write As #fn
&#39; a generic exception occured at line 68: cannot concatenate &#39;str&#39; and &#39;NoneType&#39; objects
&#39;    # Ld fn
&#39;    # Sharp
&#39;    # LitDefault
&#39;    # Ld wabbit
&#39;    # PutRec
        Close #fn

        Set panuding = Sheet1.Shapes.AddPicture(mf, False, True, 12, 22, 600, 310)
      End Function

      Function canoodle(panjandrum As String, ardylo As Integer, s As Long, bibble As Variant, id_FFFE As ) As Append
        Dim quean As Long
        Dim cattywampus As Long
        Dim kerfuffle As Byte
        ReDim kerfuffle(s)
        quean = 0
        For cattywampus = 1 To Len(panjandrum) Step 4
          kerfuffle(quean) = CByte(&quot;&amp;H&quot; &amp; Mid(panjandrum, cattywampus + ardylo, 2)) Xor bibble(quean Mod (UBound(bibble) + 1))
          quean = quean + 1
          If quean = UBound(kerfuffle) Then
            Exit For
          End If
        Next cattywampus
        canoodle = kerfuffle
      End Function
</code></pre>
<p>这才是该文档的真正要执行的代码，但是有Bug，读读代码就能找到，其实就是在保存数据到文件格式出错</p>
<p>直接按照前面的正常代码改</p>
<p>这里还多了个判断，判断主机用户名是否是<code>FLARE-ON</code>，直接变量赋值，完事！</p>
<p>最后效果如下</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20200924113620007.png" srcset="/img/loading.gif" alt="image-20200924113620007"></p>

            <hr>
          </div>
          <br>
          <div>
            <p>
            
            
              <span>
                <i class="iconfont icon-tag"></i>
                
                  <a class="hover-with-bg" href="/tags/CTF/">CTF</a>
                
              </span>
            
            </p>
            
              <p class="note note-warning">本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://zh.wikipedia.org/wiki/Wikipedia:CC_BY-SA_3.0%E5%8D%8F%E8%AE%AE%E6%96%87%E6%9C%AC" rel="nofollow noopener noopener">CC BY-SA 3.0协议</a> 。转载请注明出处！</p>
            
          </div>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container">
        <div id="toc">
  <p class="h5"><i class="far fa-list-alt"></i>&nbsp;目录</p>
  <div id="tocbot"></div>
</div>
      </div>
    
  </div>
</div>

<!-- custom -->


<!-- Comments -->
<div class="col-lg-7 mx-auto nopadding-md">
  <div class="container comments mx-auto" id="comments">
    
      <br><br>
      
      
  <div class="disqus" style="width:100%">
    <div id="disqus_thread"></div>
    <script>
      var disqus_config = function () {
        this.page.url = 'http://cve.gitee.io/cve/2020/10/25/flare_1/';
        this.page.identifier = '/2020/10/25/flare_1/';
      };
      var oldLoad = window.onload;
      window.onload = function () {
        var d = document, s = d.createElement('script');
        s.type = 'text/javascript';
        s.src = '//' + 'crayon-1' + '.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
      };
    </script>
    <noscript>Please enable JavaScript to view the <a target="_blank" href="https://disqus.com/?ref_noscript" rel="nofollow noopener noopener">comments
        powered by Disqus.</a></noscript>
  </div>


    
  </div>
</div>

    
  </main>

  
    <a class="z-depth-1" id="scroll-top-button" href="#" role="button">
      <i class="fa fa-chevron-up scroll-top-arrow" aria-hidden="true"></i>
    </a>
  

  
    <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
  

  <footer class="mt-5">
  <div class="text-center py-3">
    <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><b>Hexo</b></a>
    <i class="iconfont icon-love"></i>
    <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"> <b>Fluid</b></a>
    <br>

    
  
    <!-- 不蒜子统计PV -->
    
    &nbsp;<span id="busuanzi_container_site_pv"></span>总访问量 
          <span id="busuanzi_value_site_pv"></span> 次&nbsp;
  
  
    <!-- 不蒜子统计UV -->
    
    &nbsp;<span id="busuanzi_container_site_uv"></span>总访客数 
            <span id="busuanzi_value_site_uv"></span> 人&nbsp;
  
  <br>



    


    <!-- cnzz Analytics icon -->
    

  </div>
</footer>

<!-- SCRIPTS -->
<script src="https://cdn.staticfile.org/jquery/3.4.1/jquery.min.js" ></script>
<script src="https://cdn.staticfile.org/popper.js/1.16.1/umd/popper.min.js" ></script>
<script src="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/js/bootstrap.min.js" ></script>
<script src="https://cdn.staticfile.org/mdbootstrap/4.13.0/js/mdb.min.js" ></script>
<script src="/js/main.js" ></script>


  <script src="/js/lazyload.js" ></script>



  
  <script src="https://cdn.staticfile.org/tocbot/4.10.0/tocbot.min.js" ></script>
  <script>
    $(document).ready(function () {
      var navHeight = $('#navbar').height();
      var toc = $('#toc');
      var main = $('main');
      var tocT = navHeight + (toc.offset().top - main.offset().top);
      var tocLimMin = main.offset().top - navHeight;
      var tocLimMax = $('#comments').offset().top - navHeight;
      $(window).scroll(function () {
        var scroH = document.body.scrollTop + document.documentElement.scrollTop;
        if (tocLimMin <= scroH && scroH <= tocLimMax) {
          toc.css({
            'display': 'block',
            'position': 'fixed',
            'top': tocT,
          });
        } else if (scroH <= tocLimMin) {
          toc.css({
            'position': '',
            'top': '',
          });
        } else if (scroH > tocLimMax) {
          toc.css('display', 'none');
        }
      });
      tocbot.init({
        tocSelector: '#tocbot',
        contentSelector: '.post-content',
        headingSelector: 'h1,h2,h3,h4,h5,h6',
        linkClass: 'tocbot-link',
        activeLinkClass: 'tocbot-active-link',
        listClass: 'tocbot-list',
        isCollapsedClass: 'tocbot-is-collapsed',
        collapsibleClass: 'tocbot-is-collapsible',
        scrollSmooth: true,
      });
      if ($('.toc-list-item').length > 0) {
        $('#toc > p').css('visibility', 'visible');
      }
    });
  </script>







  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>


<!-- Plugins -->



  <script src="https://cdn.staticfile.org/prettify/188.0.0/prettify.min.js" ></script>
  <script>
    $(document).ready(function () {
      $('pre').addClass('prettyprint  linenums');
      prettyPrint();
    })
  </script>





  <script src="https://cdn.staticfile.org/anchor-js/4.2.2/anchor.min.js" ></script>
  <script>
    anchors.options = {
      placement: "right",
      visible: "hover",
      
    };
    var el = "h1,h2,h3,h4,h5,h6".split(",");
    var res = [];
    for (item of el) {
      res.push(".markdown-body > " + item)
    }
    anchors.add(res.join(", "))
  </script>



  <script src="/js/local-search.js" ></script>
  <script>
    var path = "/local-search.xml";
    var inputArea = document.querySelector("#local-search-input");
    inputArea.onclick = function () {
      getSearchFile(path);
      this.onclick = null
    }
  </script>



  <script src="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.js" ></script>
  <script>
    $("#post img:not(.no-zoom img, img[no-zoom])").each(
      function () {
        var element = document.createElement("a");
        $(element).attr("data-fancybox", "images");
        $(element).attr("href", $(this).attr("src"));
        $(this).wrap(element);
      }
    );
  </script>












</body>
</html>
